Cyber Threat Intelligence Report | 6/29/2026 | PacketWatch

Written by PacketWatch Team Sixty43 | June 29, 2026


This week, we briefed our clients on details of the widespread FortiBleed credential compromise and the breach that exposed data from the LastPass CRM.


KEY TAKEAWAYS

  • Widespread “FortiBleed” campaign targets thousands of devices and steals millions of credentials.
  • Details on the latest LastPass data breach.
  • Critical and high-severity vulnerabilities in F5 NGINX, Squid Proxy, the Linux kernel, and SimpleHelp RMM, plus updates to the CISA KEV catalog. Patch now!




FortiBleed – Widespread Credential Compromise

In mid-June, security researcher Volodymyr "Bob" Diachenko posted on LinkedIn that he had discovered a list of plaintext passwords for Fortinet firewalls. The initial list contained credentials for 21,634 domains. Shortly after, researchers such as Kevin Beaumont confirmed the data was legitimate. A week later, Diachenko made another post detailing the astounding scope of the newly discovered campaign: a large-scale Russian-speaking group conducting credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide, with 1.16 billion credential attempts against 320,777 FortiGate targets.


SOCRadar Reporting

Figuring out the full scale and scope of campaigns like this is no small task. SOCRadar recently published a very detailed breakdown of the history, scope, and inner workings of the FortiBleed campaign. Per their research, this campaign started at least as far back as February 28, 2026. The threat actors, believed to be Russian initial access brokers linked to the Lynx / INC ransomware group, initially targeted Sophos SSL-VPN, RDWeb portal (RDP), MSSQL, and Citrix instances. Hundreds of thousands of login URLs were enumerated during this phase.

In mid-May, the threat actor pivoted to FortiGate devices. When the campaign was first disclosed, security researchers were unsure how the threat actor was gaining access to the FortiGate devices, with some theories pointing to a possible new 0-day vulnerability. However, SOCRadar's research found that the threat actor simply brute-forced SSH on exposed systems. The threat actor used compromised credential data from previous leaks, as well as dictionaries of common username/password combinations for FortiGate administrative accounts, effectively performing a massive credential-stuffing attack. Notably, the majority of the observed compromised systems had the management interface exposed to the open internet.

Once this initial access was obtained, the threat actor deployed a custom Golang-based tool called FortigateSniffer. This tool abused the built-in diagnostic command "diagnose sniffer packet" to passively capture authentication traffic passing through the compromised FortiGate firewalls. The sniffer targets 24 protocols, including TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS.

The captured credentials were then cracked on a distributed GPU cluster managed through Hashtopolis, with Hashcat as the cracking engine, orchestrated through a Telegram bot named HASHBOT.

Once the hashes were successfully cracked, the threat actor used a series of Python scripts to validate the credentials for further lateral movement. Credentialed access was also observed as a means to exfiltrate sensitive data from network shares using Impacket tools. 


Scope

At the time of publication, the SOCRadar report shows a total of 80,553 FortiGate appliances across 23,406 domains were impacted. The majority of impacted organizations were small and medium-sized businesses (fewer than 500 employees and less than $100 million in annual revenue). While victims were found across the globe, India, the United States, and Taiwan were impacted the most, accounting for roughly a third of the compromises. IT services were the most heavily targeted sector.


How to Protect Your Organization

Organizations can determine whether their domain was impacted by using the SOCRadar FortiBleed Check tool here. Any organization that is identified in the dataset is recommended to take the following actions:

    • Rotate all credentials tied to Fortinet VPN and administrative interfaces.
    • Enforce multi-factor authentication (MFA).
    • Remove FortiGate management interfaces from direct internet exposure.
    • Review gateway and authentication logs for suspicious activity.

If any suspicious activity is observed, assume compromise and implement incident response procedures.
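As an added example (not from PacketWatch or SOCRadar), the following Python script shows what a first pass at the log review in the last step could look like. It reads FortiGate-style key=value event logs and flags the three signals described above: a burst of failed admin SSH logins from one source, a successful login from a source that had just been failing, and execution of the "diagnose sniffer packet" diagnostic. The log lines are constructed for this example, and the field names (action, status, srcip, cli_cmd) are assumptions rather than a verified FortiGate log schema; map them to your own log export before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-like key=value event-log style.
# Field names are assumptions for this example, not a verified schema.
SAMPLE_LOGS = """\
date=2026-06-20 time=03:14:01 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="login failed: invalid password"
date=2026-06-20 time=03:14:09 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="login failed: invalid password"
date=2026-06-20 time=03:14:17 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="login failed: invalid password"
date=2026-06-20 time=03:14:25 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="login failed: invalid password"
date=2026-06-20 time=03:14:33 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="login failed: invalid password"
date=2026-06-20 time=03:14:41 type="event" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="login failed: invalid password"
date=2026-06-20 time=03:15:02 type="event" action="login" status="success" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" msg="Administrator admin logged in successfully"
date=2026-06-20 time=03:16:30 type="event" action="execute" user="admin" srcip=203.0.113.7 ui="ssh(203.0.113.7)" cli_cmd="diagnose sniffer packet any"
date=2026-06-20 time=08:00:12 type="event" action="login" status="success" user="netops" srcip=198.51.100.5 ui="ssh(198.51.100.5)" msg="Administrator netops logged in successfully"
date=2026-06-20 time=09:30:45 type="event" action="login" status="failed" user="netops" srcip=198.51.100.5 ui="ssh(198.51.100.5)" msg="login failed: invalid password"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (signal, srcip, detail) tuples for the three FortiBleed-style signals."""
    failures = defaultdict(list)   # srcip -> timestamps of failed logins inside the window
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        src = rec.get("srcip", "unknown")
        if rec.get("action") == "login" and rec.get("status") == "failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) == threshold:   # fire once, when the burst crosses the threshold
                findings.append(("brute_force", src,
                                 f"{threshold} failed logins for user {rec.get('user')} within {window}"))
        elif rec.get("action") == "login" and rec.get("status") == "success":
            prior = [t for t in failures[src] if ts - t <= window]
            if prior:   # a success right after a failure burst is the credential-stuffing signature
                findings.append(("success_after_failures", src,
                                 f"user {rec.get('user')} logged in after {len(prior)} recent failures"))
        if "diagnose sniffer packet" in rec.get("cli_cmd", ""):
            findings.append(("sniffer_command", src,
                             f"user {rec.get('user')} ran: {rec['cli_cmd']}"))
    return findings


if __name__ == "__main__":
    for signal, src, detail in analyze(SAMPLE_LOGS):
        print(f"[{signal}] {src}: {detail}")
```

On the constructed input this reports all three signals for 203.0.113.7 and nothing for the single failed login from 198.51.100.5. The threshold and window are deliberately low so the burst is visible in ten lines; tune them to your own baseline, and treat the "success after failures" and sniffer signals as the ones that warrant immediate incident response rather than tuning.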


Resources


LastPass "Breach"

"LastPass confirms data breach" was seen in many headlines last week. As LastPass is one of the most popular password managers, we wanted to give some added context and clarity regarding this event. LastPass did confirm that some of its data was accessed by threat actors. Per the disclosure, threat actors obtained OAuth tokens held by a third-party marketing intelligence firm, Klue. These tokens were then leveraged by the threat actor to access LastPass customer data within their Salesforce environment. The data accessed includes customer names, phone numbers, email addresses, physical addresses, as well as support case data and sales-related data.

LastPass emphasizes that LastPass products, services, and infrastructure were not impacted in any way. This means that no password vaults or stored credentials were touched or impacted. LastPass itself was not directly hacked; the data was held by a third-party provider.

LastPass customers should maintain extra vigilance against potential phishing attacks, as attackers can use the accessed data to craft more convincing phishing lures. Customers should know that LastPass will never ask for their master password, and this password should never be disclosed to anybody.


Resources


Vulnerability Roundup


F5 Fixes 2 Critical NGINX RCE Flaws

F5 recently disclosed two critical remote code execution flaws in NGINX Open Source. CVE-2026-42530 is a use-after-free flaw that affects NGINX Open Source instances configured to use the HTTP/3 QUIC module. CVE-2026-42055 is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. Both flaws can be exploited by remote, unauthenticated attackers. A full list of impacted products and versions for CVE-2026-42530 can be found here, and for CVE-2026-42055 here. If patches cannot be applied, administrators can mitigate CVE-2026-42530 by disabling HTTP/3, and CVE-2026-42055 by removing the ignore_invalid_headers off directive from the configuration or by reducing the large_client_header_buffers size below 2 MB.
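To make the configuration-level mitigations concrete, here is an added Python audit script (example code, not F5's or the NGINX project's own tooling) that scans an nginx.conf for the settings named above: a QUIC listen or "http3 on" directive (HTTP/3 exposure relevant to CVE-2026-42530), "ignore_invalid_headers off", and a large_client_header_buffers size of 2 MB or more (the two settings named for CVE-2026-42055). The weak and hardened configurations are constructed for this example. The parser flattens blocks and does not follow include directives, so treat it as a first pass over a config, not a substitute for reading the advisory; note also that either of the two CVE-2026-42055 changes suffices per the advisory, while this script reports both conditions independently.

```python
import re

# Constructed configs for this example (not from F5 or any real deployment).
# WEAK_CONF keeps every setting the advisory summary says to change; HARDENED_CONF
# is the same site with HTTP/3 removed, ignore_invalid_headers at its default (on),
# and large_client_header_buffers well below 2 MB.
WEAK_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 listener
        http3 on;
        location / { proxy_pass http://backend; }
    }
}
"""

HARDENED_CONF = """
http {
    # ignore_invalid_headers left at its default of "on"
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location / { proxy_pass http://backend; }
    }
}
"""

TWO_MB = 2 * 1024 * 1024


def parse_size(token):
    """Convert an nginx size token (e.g. 8k, 4m, 4096) to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size: {token}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]


def directives(conf):
    """Yield [name, arg, ...] for each directive; blocks are flattened, context ignored."""
    stripped = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    for stmt in re.split(r"[;{}]", stripped):
        tokens = stmt.split()
        if tokens:
            yield tokens


def audit(conf):
    """Return exposure findings for the two NGINX CVEs discussed above."""
    findings = []
    http3 = False
    for tokens in directives(conf):
        name, args = tokens[0], tokens[1:]
        if name == "listen" and "quic" in args:
            http3 = True
        elif name == "http3" and args[:1] == ["on"]:
            http3 = True
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            findings.append("CVE-2026-42055: ignore_invalid_headers off is set; remove it (default is on)")
        elif name == "large_client_header_buffers" and len(args) == 2:
            if parse_size(args[1]) >= TWO_MB:
                findings.append(f"CVE-2026-42055: large_client_header_buffers size {args[1]} is not below 2 MB")
    if http3:
        findings.append("CVE-2026-42530: HTTP/3 (QUIC) is enabled; disable it until patched")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run it against the output of "nginx -T" (which expands includes) rather than a single file, so every server block is covered. An empty result does not mean the binary is patched; it only means none of the named exposure conditions are present in the configuration.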


'Squidbleed' - The 29-Year-Old Squid Proxy Bug

Researchers at Calif.io disclosed a vulnerability in the Squid web proxy, discovered with the help of Claude Mythos, that has been present for over 29 years. Dubbed "Squidbleed" (CVE-2026-47729), the flaw resides in Squid's FTP directory-listing parser and allows an attacker using the same proxy to leak another user's cleartext HTTP request, including credentials or session tokens. HTTPS traffic is protected from this flaw, except where Squid actively decrypts and inspects encrypted traffic. Administrators can address the flaw by upgrading to version 7.7 or by disabling FTP.


Linux 'pedit COW' Privilege Escalation Flaw

Red Hat disclosed a privilege escalation vulnerability in the Linux kernel, nicknamed "pedit COW". Tracked as CVE-2026-46331, the flaw is an out-of-bounds write in the Linux kernel's traffic control subsystem (act_pedit), which enables corruption of page cache memory. A user with a local account could exploit this vulnerability to gain root access. As proof-of-concept exploit code is in the wild, administrators are urged to patch as soon as possible by applying the latest kernel updates. If updating is not possible, see the mitigation recommendations from Red Hat here. 


Linux 'DirtyClone' Privilege Escalation Flaw

Another Linux privilege escalation flaw with a working exploit was disclosed by JFrog Security Research. The flaw is dubbed "DirtyClone", and is considered to be part of the "DirtyFrag" vulnerability family. Tracked as CVE-2026-43503, the vulnerability allows a local user to corrupt file-backed memory through a cloned network packet and gain root. Details of the vulnerability and corresponding exploit can be found in the JFrog research here. An official fix for the vulnerability was made available in v7.1-rc5 of the Linux kernel on May 24. As proof-of-concept exploit code is in the wild, administrators are urged to patch as soon as possible.



SimpleHelp RMM Authentication Bypass

SimpleHelp recently disclosed a maximum-severity vulnerability in its remote management software. Tracked as CVE-2026-48558, the authentication bypass flaw allows unauthenticated attackers to forge identity tokens, allowing them to obtain a "fully authenticated technician session." The vulnerability impacts SimpleHelp versions 5.5.15 and prior, as well as 6.0 pre-release versions. Additionally, successful exploitation requires the following conditions: OpenID Connect (OIDC) authentication must be enabled, at least one Technician Group must be associated with the OIDC provider, and the group must have "Allow group authenticated logins" enabled. SimpleHelp released versions 5.5.16 and 6.0RC2 to address the vulnerability. Administrators are urged to update as soon as possible, as proof-of-concept exploits are in the wild. 



CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2026-20230 - Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability
  • CVE-2026-12569 - PTC Windchill and FlexPLM Improper Input Validation Vulnerability
  • CVE-2026-34908 - Ubiquiti UniFi OS Improper Access Control Vulnerability
  • CVE-2026-34909 - Ubiquiti UniFi OS Path Traversal Vulnerability
  • CVE-2026-34910 - Ubiquiti UniFi OS Improper Input Validation Vulnerability
  • CVE-2025-67038 - Lantronix EDS5000 Code Injection Vulnerability
  • CVE-2026-20253 - Splunk Enterprise Missing Authentication for Critical Function Vulnerability
  • CVE-2026-48907 - Widget Factory Joomla Content Editor Improper Access Control Vulnerability
  • CVE-2026-20262 - Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
  • CVE-2026-54420 - LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability


This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Visit our Cyber Threat Profile Blog for detailed intelligence profiles.


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.